Kevin Stear

MONSOON APT campaign activity 7-6-2017

Blog Post created by Kevin Stear Employee on Jul 10, 2017

On July 6, 2017, RSA FirstWatch noted renewed MONSOON APT campaign activity in a sample submitted to VirusTotal by a community user in India. The submission was an email attachment, Free_Hosting.doc, a Rich Text Format (RTF) document that attempts to exploit CVE-2015-1641. (Note: for a technical walk-through of RTF and its commonly exploited vulnerabilities, we recommend readers take a look at this post by RSA Engineering's Kevin Douglas.)

[Screenshot: MONSOON BADNEWS RTF]

The RTF file drops BADNEWS, a backdoor that is launched through a signed Java executable using a DLL side-loading technique to evade security detection and prevention. (A similar technique is employed by PlugX, a backdoor that is well documented by past RSA Research efforts.) To accomplish this, the RTF writes out several executables, which create MicroScMgmt.exe and jli.dll in C:\Users\analyst\AppData\Roaming\Microsoft and modify the current user's Run key to add persistence.

[Screenshots: MONSOON BADNEWS executables]

The executable also issues a 'GET /images/' request to www.samanthvisser[.]com, hosted at 162[.]255[.]116[.]10, to retrieve a decoy Free_Hosting.doc that is shown to the user as a distraction.

[Screenshots: MONSOON BADNEWS RTF, MONSOON RTF exploit]

Meanwhile, MicroScMgmt.exe (md5: BA79F3D12D455284011F114E3452A163) is actually a signed copy of Java Platform SE 6 U39 that side-loads (essentially provides an execution path for) jli.dll from C:\Users\analyst\AppData\Roaming\Microsoft in place of Microsoft's msvcr71.dll from the Windows\System32 folder. Backdoor established.

[Screenshots: MONSOON BADNEWS executable]

Based on these observations, this activity from early July appears consistent with recent Monsoon campaigns as documented by both Fortinet (part 1 and part 2) and Forcepoint. Nice screenshot courtesy of Vitali Kremez, @VK_Intel, who captured our executable in action.

[Screenshot: MONSOON BADNEWS executable in action]

Upon infection, initial Command and Control (C2) was observed as an unsolicited 'HTTP POST /6031170831643635.xml' out to feed43[.]com, a domain previously tied to Monsoon (part 1 of the Fortinet reports 'hxxp://feed43.com/0414303388550176.xml') and believed to host encrypted data that contains the address of the actual C2 server.

[Screenshot: MONSOON BADNEWS C2]

We also observed suspected outbound C2 via 'HTTP POST /1bc29b36f623ba82aaf672/435dfa34fasdf3.php' sent directly to IP address 91[.]92[.]136[.]20, likely also carrying encrypted (or obfuscated) content. We also noted outbound communications to en[.]wikipedia[.]org, but the purpose of this connection remains unclear (although it possibly relates to past actor usage of forums).
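The three network observations above (the decoy fetch, the numeric .xml POST to feed43[.]com, and the POST sent straight to a bare IP) can be turned into both indicator matches and indicator-independent behavioral rules. The following is an added example written for this post, not RSA or NetWitness code: it parses a constructed key=value request log (the log format and the sample lines are assumptions; the hosts, IPs and URIs in the first three sample lines are the ones named in the post) and tags each request that matches.

```python
"""Flag BADNEWS-style C2 requests in constructed HTTP request logs.

Added example, not RSA/NetWitness code. The log format (key=value lines)
and the sample requests are constructed for this example; the hosts, IPs
and URIs in IOC_HOSTS and the first three sample lines come from the post.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicators named in the post (defanging brackets removed).
IOC_HOSTS = {
    "feed43.com",
    "www.samanthvisser.com",
    "162.255.116.10",
    "91.92.136.20",
}

# Assumed proxy/sensor log format: "<ts> src=<ip> method=<M> host=<h> uri=<u>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) "
    r"host=(?P<host>\S+) uri=(?P<uri>\S+)$"
)

# Dead-drop resolver shape seen in the post: a long all-numeric .xml
# resource on a free feed host (e.g. /6031170831643635.xml).
NUMERIC_XML_RE = re.compile(r"^/\d{12,}\.xml$")


def is_bare_ip(host: str) -> bool:
    """True when the Host value is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(req: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to one request (empty = clean)."""
    tags = []
    host = req["host"].lower()
    if host in IOC_HOSTS:
        tags.append("known_ioc_host")
    # Behavioural rules that do not depend on the IOC list:
    if req["method"] == "POST" and is_bare_ip(host):
        tags.append("post_to_bare_ip")
    if req["method"] == "POST" and NUMERIC_XML_RE.match(req["uri"]):
        tags.append("numeric_xml_post")
    return tags


def scan(lines) -> List[Tuple[str, str, str, List[str]]]:
    """Parse every line and return (src, host, uri, tags) for flagged requests."""
    hits = []
    for line in lines:
        req = parse(line)
        if req is None:
            continue  # unparsable line; a real pipeline would count these
        tags = classify(req)
        if tags:
            hits.append((req["src"], req["host"], req["uri"], tags))
    return hits


# Constructed sample log. Lines 1-3 reproduce the requests described in the
# post; the wikipedia line stays unflagged because its purpose is unclear;
# the last line shows the bare-IP rule firing on an address not in the list.
SAMPLE_LOG = """\
2017-07-06T10:01:02Z src=10.0.0.15 method=GET host=www.samanthvisser.com uri=/images/
2017-07-06T10:01:09Z src=10.0.0.15 method=POST host=feed43.com uri=/6031170831643635.xml
2017-07-06T10:01:15Z src=10.0.0.15 method=POST host=91.92.136.20 uri=/1bc29b36f623ba82aaf672/435dfa34fasdf3.php
2017-07-06T10:01:20Z src=10.0.0.15 method=GET host=en.wikipedia.org uri=/
2017-07-06T10:02:00Z src=10.0.0.22 method=GET host=www.example.com uri=/index.html
2017-07-06T10:03:00Z src=10.0.0.31 method=POST host=203.0.113.7 uri=/upload.php
""".splitlines()


def run_demo():
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for src, host, uri, tags in run_demo():
        print(f"{src} -> {host}{uri}: {', '.join(tags)}")
```

The two behavioral rules are deliberately kept separate from the IOC list so they keep firing after the actor rotates infrastructure; the wikipedia connection is not tagged because the post itself leaves its purpose open.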

[Screenshot: MONSOON BADNEWS C2]

With regard to NetWitness detection of Monsoon APT's delivery of BADNEWS, note the behavioral indicators captured in the meta below.

[Screenshots: NetWitness MONSOON APT BADNEWS meta]

NetWitness Endpoint (i.e., ECAT) was also able to identify this activity rather easily by monitoring Office applications (WINWORD in the case of BADNEWS) for writing any executables. Indicators of compromise (IOCs) from ECAT are below.
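The endpoint behaviour described in this post (WINWORD writing executables into the user's roaming profile, a Run key pointing at that drop directory, and a signed Java launcher side-loading an unsigned jli.dll from the same directory) maps onto three simple rules over process, file, registry and image-load telemetry. The code below is an added example, not ECAT or any RSA code: the simplified Sysmon-like event records and their field names are assumptions, the Office install path and the dropper name are constructed, and the drop directory, file names and Run-key persistence come from the post.

```python
"""Behavioural endpoint detections for the BADNEWS drop chain.

Added example, not RSA/NetWitness Endpoint (ECAT) code. The event stream is
a constructed, simplified Sysmon-like record set; its field names
(event, image, target, key, data, loaded, image_signed, loaded_signed) are
assumptions. The paths, file names and Run-key persistence come from the post;
the dropper name and the Office install path are constructed.
"""
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EXEC_EXTS = (".exe", ".dll", ".scr", ".com")

# HKCU\...\CurrentVersion\Run and RunOnce, any value name.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I
)
# Per-user writable locations that a normal installer would not use for persistence.
USER_WRITABLE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, process, artefact) triples for every event that fires a rule."""
    alerts = []
    for ev in events:
        proc = basename(ev["image"])
        kind = ev["event"]
        # Rule 1 (what ECAT keyed on): an Office process writing an executable.
        if kind == "file_create" and proc in OFFICE_APPS \
                and ev["target"].lower().endswith(EXEC_EXTS):
            alerts.append(("office_writes_executable", proc, ev["target"]))
        # Rule 2: Run-key persistence pointing into a user-writable directory.
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]) \
                and USER_WRITABLE_RE.match(ev["data"]):
            alerts.append(("run_key_persistence_user_writable", proc, ev["data"]))
        # Rule 3, the side-loading shape: a signed image loads an unsigned DLL
        # from a user-writable directory (signed Java launcher + dropped jli.dll).
        elif kind == "image_load" and ev["loaded"].lower().endswith(".dll") \
                and USER_WRITABLE_RE.match(ev["loaded"]) \
                and ev["image_signed"] and not ev["loaded_signed"]:
            alerts.append(("possible_dll_sideload", proc, ev["loaded"]))
    return alerts


DROP_DIR = r"C:\Users\analyst\AppData\Roaming\Microsoft"  # from the post
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"  # constructed


def sample_events() -> List[Dict]:
    """Constructed telemetry modelled on the chain described in the post."""
    return [
        {"event": "file_create", "image": WINWORD, "target": DROP_DIR + r"\MicroScMgmt.exe"},
        {"event": "file_create", "image": WINWORD, "target": DROP_DIR + r"\jli.dll"},
        # Decoy document: a .doc write is normal for Word, so no alert.
        {"event": "file_create", "image": WINWORD,
         "target": r"C:\Users\analyst\AppData\Local\Temp\Free_Hosting.doc"},
        # Constructed dropper name; the post only says a dropped executable sets the key.
        {"event": "registry_set", "image": DROP_DIR + r"\dropper.exe",
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroScMgmt",
         "data": DROP_DIR + r"\MicroScMgmt.exe"},
        # Signed Java launcher loading the dropped, unsigned jli.dll.
        {"event": "image_load", "image": DROP_DIR + r"\MicroScMgmt.exe",
         "loaded": DROP_DIR + r"\jli.dll", "image_signed": True, "loaded_signed": False},
        # Same process loading a signed system DLL: expected, no alert.
        {"event": "image_load", "image": DROP_DIR + r"\MicroScMgmt.exe",
         "loaded": r"C:\Windows\System32\msvcr71.dll", "image_signed": True, "loaded_signed": True},
        # Benign Run-key entry pointing under Program Files: no alert.
        {"event": "registry_set", "image": r"C:\Windows\explorer.exe",
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
         "data": r"C:\Program Files\Vendor\Updater.exe"},
    ]


def run_demo():
    return detect(sample_events())


if __name__ == "__main__":
    for rule, proc, artefact in run_demo():
        print(f"{rule}: {proc} -> {artefact}")
```

Rule 1 alone reproduces what ECAT flagged here; rules 2 and 3 add the persistence and side-loading stages so that a chain which swaps the delivery document for something other than Office still surfaces.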

[Screenshot: ECAT MONSOON BADNEWS IOCs]

Additionally, all observed MONSOON BADNEWS domains and IPs have been added to the FirstWatch C2 Domains and IPs feeds and should be available via RSA Live.

 

Thanks to Christopher Ahearn and Ahmed Sonbol for their help with this analysis.
